Allow to configure a predefined sslPolicy

[jmapro]

Is your feature request related to a problem? Please describe.
I need to disallow TLSv1_0 and TLSv1_1 by using the predefined policy AppGwSslPolicy20170401S. But each time I push this configuration on the application gateway, it's overwrited by the Ingress Controller.

Describe the solution you'd like
Ssl policy is global to the application gateway, so having an annotation like appgw.ingress.kubernetes.io/ssl-policy: "AppGwSSlPolicy20170401S" would be great.

[akshaysngupta]

@jmapro AGIC should not overwrite SSL policy. I tried on my test setup and the policy is retained on updates. Can you check if there is no other component/CI/CD reverting the gateway ?

[jmapro]

Hello @akshaysngupta , Thanks for your answer. I've done more tests and my issue seems coming from Terraform and not AGIC.

But having a solution to configure such parameter from Kubernetes would be great :)

[joelharkes]

I'm using only AGIC but also my SSL Policy i setup is gone, (how) is that possible?

don't use anything else than basic AGIC setup + Cert manager.

[joelharkes]

I tried disabling tls1.1 and 1.2:

$gw = Get-AzApplicationGateway -Name ag-name -ResourceGroup rg-name
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw
# response from get
Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S  -MinProtocolVersion TLSv1_2 -DisabledSslProtocols TLSv1_0,TLSv1_1
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw

response:

DisabledSslProtocols     : {TLSv1_0, TLSv1_1}
PolicyType               : Predefined
PolicyName               : AppGwSslPolicy20170401S
CipherSuites             : 
MinProtocolVersion       : TLSv1_2
DisabledSslProtocolsText : [
                             "TLSv1_0",
                             "TLSv1_1"
                           ]
CipherSuitesText         : null

and a day later:

$gw = Get-AzApplicationGateway -Name ag-name -ResourceGroup rg-name
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw
#setting is gone

ssl Policy seems gone.

DisabledSslProtocols is absolutely a must for security perspective

[martwana]

I'm also seeing this behaviour. Why is this not supported out the box?

We've just had a bunch of TLSv1.0 warnings in our Pen Test, but because AGIC provisions and manages the load balancer, we cannot control this value.

Can I get an ETA on this feature being available?

[martwana]

@akshaysngupta

[joelharkes]

Actually my comment was wrong, i do think i was able to fix it with the script i just had an issue in the script

[akshaysngupta]

AGIC doesn't modify the SSL policy attached to the gateway. As @joelharkes mentioned, please check if you have script that is modify the policy.

[fvillain]

Oh yes it does. It overrides everything that was already declared in fact.

Edit: in my use-case, i do this:

1. create application-gateway with our own ssl policy through terraform azure provider
2. create the ingress handled by AGIC

Step 2 is overriding everything done in step 1.

[simone]

Guys, I need to do the same, disable TLS 1.0 and 1.1. When I create a new default SSL policy in the Application gateway, after few seconds the policy is deleted automatically. Probably because AGIC ingress rewrite all the rules and in this reconciliation the SSL Policy disappears.

According with Reconciliation feature
https://azure.github.io/application-gateway-kubernetes-ingress/features/agic-reconcile/
To address the problem above, AGIC periodically checks if the latest gateway configuration is different from what it cached, and reconcile if needed to make gateway configuration is eventual correct.

Reconciliation is very useful, but if enabled let you no chance to configure the SSL Policy because it is not supported by AGIC annotations.

[frbosch]

Edit: See my comment below. It looks like SSL Profiles getting removed by AGIC. I can confirm that a custom SSL Policy is not overridden.

[martwana]

My solution was to provision the app gateway with terraform and set the ssl policy there then connect the AGIC to the existing load balancer. Not ideal but it works.

…

On 14 Jan 2022, at 14:18, frbosch ***@***.***> wrote:  Experiencing this also. SSL policy is removed by AGIC. That's absolutely CRITICAL, there is no way to disable TLS 1.0 and 1.1 when AGIC is used. Or do i miss something? — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you commented.

[frbosch]

@martwana Thanks, for your feedback. I was using SSL Profiles, and they seem to be removed by AGIC. Setting the SSL policy under Listeners beforehand works.

[aidapsibr]

Am I right in interpreting that there is currently no way to set a default policy and AGIC removes listener policies, so in effect, forces you to use insecure protocols?

[aidapsibr]

Since the new preview ssl policies call out that it will upgrade the entire gateway and you can't mix v1 and v2 policies, maybe that is a work around?

[kevinkupski]

I was able to successfully configure an SSL profile via Terraform

"azurerm_application_gateway" "k8s_ingress" {
  ...
  ssl_profile {
    name = "appGatewaySslProfile"
    ssl_policy {
      policy_type = "Predefined"
      policy_name = "AppGwSslPolicy20220101S"

    }
  }
}

...and then use it via the appgw-ssl-profile annotation. It provisions correctly and applies the correct policy.